Why SOC 1/SSAE 16 is Still the King of the Hill

While SOC 2 has potential, SOC 1 remains one of the most important assurance tools for hosting providers, writes Chris Schellman of Brightline. Decision makers should recognize that data centers are often valid candidates for both SOC 1 and SOC 2 examinations. 

Chris Schellman is the President and Founder of BrightLine, which is accredited as a CPA Firm, PCI QSA Company and ISO 27001 Registrar. He is a licensed CPA, CISSP, PCI QSA and ISO Lead Auditor, and has contributed to nearly 1,000 SOC examinations.

Chris Schellman, Brightline

When the American Institute of Certified Public Accountants (AICPA) released its Service Organization Controls (SOC) reporting structure in the latter half of 2011, some believed that the new SOC 2 concept would play a prominent role in data center reporting because of its focus on controls relevant to availability, confidentiality, processing integrity, security, and/or privacy using the prescriptive Trust Services Principles. In the several months that have followed, anecdotal evidence suggests that SOC 1, otherwise known as Statements on Standards for Attestation Engagements No. 16 (SSAE 16), the successor standard to SAS 70, remains the clear favorite of data centers and that SOC 2 has yet to gain any significant traction.

In leading BrightLine, a large provider of SOC reporting services, I am in a unique position to monitor major trends in SOC reporting. I have observed that virtually every data center that previously underwent a SAS 70 audit has opted to continue with SOC 1 examinations. Some of these data centers elect to couple their SOC 1 examination with an SOC 2 examination, while almost none have elected to forego SOC 1 entirely in favor of SOC 2.

In addition, I have noted that a recurring set of questions is being posed by data center providers. These questions, and the related answers, largely explain why SOC 1 / SSAE 16 remains so prevalent among hosting providers. As such, I would like to take this opportunity to share my personal views on these topics.

Are Data Centers Still Valid Candidates for SOC 1 Examinations?

Yes. Despite what you may have heard, there is currently no technical guidance prohibiting the application of SOC 1 to data centers so long as the data centers host systems relevant to user entities’ internal controls over financial reporting (ICFR).

Some people make the prima facie argument that hosting services have no obvious relevance to user entities’ ICFR, and thus that SOC 1 is not applicable to data centers’ services. A more detailed review of the appropriate guidance reveals that this argument is a subjective interpretation devoid of authoritative support. The AICPA’s SOC 1 guide directly contradicts this argument when it provides examples of valid candidates for SOC 1 examinations that, at first glance, are not obvious candidates. This list includes ISPs, Web hosting providers and ASPs, including those that “provide services similar to traditional mainframe data center service bureaus.” (Ref. Par. 1.06 of the SOC 1 guide) Obviously, hosting services fit quite comfortably within the range of these examples.

If we were seeking personal opinions on this matter, AICPA webinars would be an excellent source. Interestingly enough, a panel of AICPA experts openly confirmed during a recent SOC reporting webinar that SOC 1 is applicable to data centers when applicability requirements are met, as seen on the lower right corner of this screen capture taken during the webinar.

Beyond the guidance and expert opinions, we should consider market trends. With major data center providers announcing completed SOC 1 examinations on a weekly basis, it is clear that the industry and the “Big 5” of SOC reporting (BrightLine + the “Big 4” global accounting firms) agree that SOC 1 can be applied to data centers. In other words, the debate about the applicability of SOC 1 to data centers is over.

Can Data Centers Use SOC 2 as a Substitute for SOC 1?

No. The first paragraph of the SSAE 16 standard states that the purpose of SOC 1 examinations is to report on “[…] controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.” Paragraph 1.10 in the SOC 2 guide states that the purpose of SOC 2 is to "[…] report on a service organization’s controls other than those that are likely to be relevant to user entities’ internal control over financial reporting.” This purposeful “poison pill” confirms that hosting providers cannot use SOC 2 examinations as a substitute for SOC 1 examinations.

Further guidance is found in the SAS 70 standard, which is still very much alive and has been revised to provide guidance to user auditors (i.e., the financial statement auditors of user entities). Paragraph 24 of the revised standard requires that user auditors obtain a “service auditor's report on a service organization's description of the controls that may be relevant to a user entity’s internal control as it relates to an audit of financial statements […]”. As previously noted, SOC 2 cannot report on ICFR topics and is, therefore, not a viable alternative to SOC 1 for such purposes.

Are SOC 2 Examinations “Better” or “More Appropriate” than SOC 1 for Data Centers?

No. There is absolutely nothing in the current guidance that supports the position that SOC 2 is "better" or "more appropriate" than SOC 1 for data center examinations. Both guides contain unambiguous applicability requirements. Data centers either meet the requirements for SOC 1 and/or SOC 2, or they do not. In the absence of new AICPA guidance, all claims to the contrary are personal opinion and should be treated as such.

Is It True that SOC 1 Does Not Address Logical Security, Physical Security and Processing Integrity Topics?

No. The notion that SOC 1 does not address security or processing integrity is one of the most common errors made by those unfamiliar with SOC reporting. This error often stems from a misconception that SOC 1 examinations opine on financial reporting controls. As I noted above, SOC 1 examinations actually report on controls likely to be relevant to user entities’ controls over their own financial reporting, to which security and processing integrity controls are highly relevant. In fact, the SOC 1 guide includes multiple examples of control objectives and illustrative controls related to logical security, physical security and processing integrity of transactional services. (Ref. Par. 3.63, 4.48 & illustrative reports of the SOC 1 guide, among many others)

Can Data Centers Undergo Both Types of Examinations?

Yes. SOC 1 and SOC 2 examinations are not mutually exclusive. Data centers are often valid candidates for both SOC 1 and SOC 2 examinations. They are part of a small portion of the overall service organization population for which this is likely to be true and worthwhile.

Why is this the case? Because data centers normally host systems that are relevant to the ICFR of some customers and not to others. Therefore, the former will only accept an SOC 1 report, for the reasons described above, while the latter are not authorized users of an SOC 1 report and may not rely on it to obtain assurance on topics such as availability, confidentiality, processing integrity, security and/or privacy. So while nearly every data center that formerly underwent a SAS 70 examination is continuing with an SOC 1 examination in order to meet the needs of certain customers, many of those organizations are seeing value in coupling it with an SOC 2 examination for the benefit of customers that are not concerned with ICFR topics.

SOC 1/SSAE 16 Remains King of the Hill

While SOC 2 has potential, SOC 1 remains one of the most important assurance tools for hosting providers. Decision makers should recognize that data centers are often valid candidates for both SOC 1 and SOC 2 examinations. Those providers considering either type of SOC examination should realize that it is never a matter of SOC 1 vs. SOC 2. The real decision is whether the organization should undergo an SOC 1 examination and, separately, whether the organization should undergo an SOC 2 examination. It is often advisable to engage a CPA firm with significant SOC reporting experience in these discussions. Such informed analysis may conclude that SOC 1, SOC 2, both, or neither is appropriate for an organization’s particular circumstances.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.
